Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
Published: 2026-01-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via argument injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Argument Injection flaw in the CloudPagesUrl module of Salesforce Marketing Cloud Engagement. It permits an attacker to inject malicious command‑line arguments into the web service protocol, potentially leading to arbitrary command execution and compromise of data confidentiality, integrity, or availability. The flaw stems from improper neutralization of argument delimiters, a classic injection weakness.

Affected Systems

Salesforce Marketing Cloud Engagement is impacted, specifically any installation using the CloudPagesUrl module prior to January 21, 2026. No narrower version information is disclosed.

Risk and Exploitability

This flaw carries a CVSS v3.1 score of 9.8, indicating critical severity. The EPSS score is below 1%, suggesting that, in practice, exploitation is unlikely to be widespread at this time, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Attackers would need remote access to the service endpoints and the ability to submit crafted requests; the likely vector is a remote HTTP(S) request to the affected web service.

Generated by OpenCVE AI on April 18, 2026 at 03:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Salesforce patch or upgrade to a version released after January 21, 2026, which resolves the argument injection in CloudPagesUrl.
  • If an immediate patch is unavailable, disable or restrict external access to the CloudPagesUrl endpoints to prevent unauthorized input.
  • Review all input handling for CloudPagesUrl and implement strict input validation and sanitization to prevent future injection attempts.

Generated by OpenCVE AI on April 18, 2026 at 03:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Title Argument Injection in Salesforce Marketing Cloud Engagement CloudPagesUrl Module

Thu, 12 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Salesforce
Salesforce marketing Cloud Engagement
Vendors & Products Salesforce
Salesforce marketing Cloud Engagement

Sat, 24 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
Weaknesses CWE-88
References

Subscriptions

Salesforce Marketing Cloud Engagement
cve-icon MITRE

Status: PUBLISHED

Assigner: Salesforce

Published:

Updated: 2026-04-29T19:25:53.535Z

Reserved: 2026-01-07T19:03:25.720Z

Link: CVE-2026-22583

cve-icon Vulnrichment

Updated: 2026-01-26T16:23:53.144Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T01:15:50.060

Modified: 2026-02-12T16:12:21.877

Link: CVE-2026-22583

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses